maritime cyber-security what is the problem and what can be … · 2019-12-05 · maritime cyber...
TRANSCRIPT
Maritime Cyber-Security… What is the problem and what can be done about it?
G Wimpenny, J Šafář, A Grant, M Bransby
The Royal Institute of Navigation’s, International Navigation Conference, 20 November 2019 – Edinburgh, UK
General Lighthouse Authorities of the UK and Ireland, Research and Development
Cyber-Security
2
• Protect computers, programs, communications networks and data from attack, damage or unauthorised access.
• Affects us all in all walks of life.
IMO Guidelines on cybersecurity on board ships (MSC 96/4/1) - International Maritime Organisation February 2016
• Maritime Cyber-Security has lagged behind, but guidance has been published in recent years, such as:
The Application of Cybersecurity Principles to Marine and Offshore Operations - American Bureau of Shipping February 2016
Code of Practice Cyber Security for Ports and Port Systems - UK Department for Transport (commissioned by) August 2016
Maritime Cyber Threats
“The insurance industry may come to regard a vessel as unseaworthy if appropriate cyber-security measures are not taken”
– Legal panel discussion, Maritime Cyber Risk Conference, London 2016
3
“A cyber-threat is expected to cause a loss of life at sea”– Admiral Lord West
Image Credit: Wikimedia Commons
Many attacks aren’t high profile, but cause disruption and financialloss on a daily basis
4
Understanding the problem- IT and OT
OT: Operational TechnologyUsed to control physical processes
IT: Information TechnologyUsed for manipulation of data
5
- a generic example
IT: Risks Addressed?OT: Vulnerable?
RF: Vulnerable?
Understanding the problem
IT: Risks Addressed?
SANS State of ICS Security Survey 2019
Understanding the problem
• Many attacks are untargeted (automated scripts)• You are at risk, even if you think you are not!
• More sophisticated targeted attacks may be conducted for many reasons• Inter alia, extortion, theft, industrial espionage or to cause disruption and damage, including cyber-warfare.
“What element do you consider to be at the greatest risk for compromise to your Operational Technology / control systems?”
- how & why attacks occur
OT and IT Integration
7
- a very human problem
• OT increasingly • has remote (internet) access• uses ‘standard’ IT operating systems, hardware and software…this makes OT systems increasingly vulnerable to ‘IT like’ attacks
However….OT and IT staff have differing backgrounds, priorities and training which are unlikely to foster an understanding of each others roles and responsibilities…
Defending Against OT Attack
8
• Government OT security guidance available to protect critical national infrastructure….. published by:• UK National Cyber-Security Centre (NCSC)• French Network and Security Agency (ANSSI)• Swedish Civil Contingencies Agency (MSB)
• Technical advice to protect, detect and respond to cyber-attack• The human problem:
• Procedural and managerial advice: physical locks• Overcoming the OT / IT staff barrier:
Embed staff in each others departments for a period
The Human Problem
9
Encourage a culture of cyber-securitythe same way we encourage a culture of safety
• Cyber-Risk assessments before working.• Take immediate action if poor cyber-security is identified
….don’t ignore it or leave it to someone else • Report security breaches and near misses ….make it easy to report• Give staff confidence concerns will be listened to and acted on• Encourage staff to seek advice if unsure • Be responsible for your own and others cyber-security • Consider a ‘permit to work’ scheme
?
10
• Many data links not authenticated and vulnerable to spoofing
• Includes AIS• Allows spoofing of vessels (AIS Message 1,2,3)
• Allows spoofing of Virtual Aids to Navigation (AIS Message 21)
• Allows spoofing of differential GNSS corrections (AIS Message 17)
UnauthenticatedCommunications
12
• Signature ensures message integrity and authenticity• Use the ECDSA cryptographic algorithm with a 256-bit public key and SHA-256 hash function
• Timestamp links messages and prevents replay attacks
AIS Authentication
PUBLIC KEY AUTHENTICATION FOR AIS AND THE VHF DATA EXCHANGE SYSTEM (VDES)
G. Wimpenny, J. Šafář, A. Grant, M Bransby & N. Ward (ION GNSS 2018)
Conclusions
13
• Operational Technology (OT) is vulnerable to cyber-attack
• A poor understanding and culture clash exists between IT and OT staff• Government advice is available to secure OT
• All data communications need to be authenticated
• GRAD has proposed a technique to authenticate AIS and VDES
• Security is human problem, not just a technical problem
• Encourage a cyber security culture• Encourage it the same way we promote a safety culture (cyber-risk assessments)
14
G. Wimpenny, J. Šafář, A. Grant & M. Bransby
General Lighthouse Authorities of the UK and Ireland
Research and Development Directorate
T: 01255 245042
M: 07770 265652
Thank you
Backup Slides
Graph: SANS State of ICS Security Survey 2016
Understanding the problem
• Many attacks are untargeted (automated scripts)• You are at risk, even if you think you are not!
• More sophisticated targeted attacks may be conducted for many reasons